Google is giving out 10,000 free security keys to high-risks users, an announcement that came a day after the company warned 14,000 of its high-profile users that they could be targeted by the notorious Russia-based APT28 hacking group.
The moves were part of a larger push by Google in recent months to make cybersecurity a front-of-mind issue for many of its users at a time when the number of attacks – and their impacts – are increasing. Company officials also used the first week of October – which is Cybersecurity Awareness Month – to remind users of the company’s plan to enable two-factor authentication by default to many accounts, and that it will enable it for 150 million accounts before the end of 2021.
All of that comes less than two months after Google and other tech giants – including IBM, Apple, Amazon and Microsoft – in a meeting with President Biden and other administration officials promised to spend billions of dollars to boost cybersecurity capabilities.
‘Cybersecurity Is a Team Sport’
In an Oct. 8 blog post, Grace Hoyt, partnerships manager for Google’s Advanced Protection Program (APP), and Nafis Zebarjadi, product manager for account security, wrote that Google was part of a larger effort to ensure the security of organizations and individuals.
“Cybersecurity is a team sport – it requires more than just one company’s commitment,” Hoyt and Zebarjadi wrote. “That’s why we are constantly working to foster relationships with organizations outside of Google that are also committed to educating users and advancing cybersecurity.”
In Google’s case, that means partnering with organizations to enhance the security of those at the highest risk, such as politicians, journalists and human rights activists. “The more high risk users that we can get into a protected state, the safer we all are,” they wrote.
Google APP Available to All Users
Users enrolled in Google APP are protected against myriad online threats, including phishing attacks, where they can use security keys. Hoyt and Zebarjadi also noted that the holistic program also offers protection against malicious downloads like malware on both Chrome and Android devices and unauthorized access to their personal data on accounts like Gmail, Drive and Photos.
“APP is available to all users, but is specifically designed for individuals and organizations at higher risk of targeted online attacks,” they wrote.
Will Other Vendors Follow?
Ilia Kolochenko, founder of application security firm ImmuniWeb and a member of the Europol Data Protection Experts Network, said in a statement that Google’s effort to get 10,000 security keys into the hands of these high-risk targets is laudable and encouraged other major IT vendors to follow suit.
However, how effective Google’s efforts will be in protecting high-profile users is unclear, given the complexity of the global cybersecurity environment and the sophistication of professional cybercriminals and the resources of state-sponsored hacking groups, Kolochenko said.
“The shrewd threat actors will likely have no difficulty accessing the victims’ data while it resides in the device’s memory in an unencrypted format, successfully bypassing MFA [multi-factor authentication] and other security controls,” he said. “Moreover, the data oftentimes resides in several locations. For example, journalists frequently receive valuable reports and hints from whistleblowers who will now likely become the new target of cybercriminals.”
In addition, most data is backed up or shared across several organizations, such as IT vendors or accountants, who also will be targeted by bad actors, Kolochenko said. There also is the issue of countries with poor civil liberties protections, making citizens who refuse to cooperate with authorities – such as unlocking their devices – face additional threats.
Still, he noted, “the ongoing efforts undertaken by Google are certainly better than non-feasance and will definitely prevent some cyberattacks.”
Fancy Bear on the Attack
The APT28 group – also known as Fancy Bear – is believed to be ramping up attacks against certain people, organizations and accounts. Shane Huntley, director of Google Security’s Threat Analysis Group, in a series of tweets Oct. 7 said his group sent an “above average batch of government-backed security warnings” to about 14,000 Gmail users who were warned that they could be targets of a nation-state cyberespionage organization, believed to be APT28.
Huntley noted that the warnings did not mean the potential had been compromised and that the increased number of warnings come from a small number of “widely targeted campaigns” that Google had blocked.
“The warning really mostly tells people you are a potential target for the next attack so now may be a good time to take some security actions,” he wrote. “If you are an activist/journalist/government official or work in NatSec, this warning honestly shouldn’t be a surprise. At some point some govt backed entity probably will try to send you something.”
Two-Factor Authentication is Key
Google also is hoping to convince account holders to up their security game by adopting the company’s two-factor authentication capabilities to better protect their accounts.
“For most of us, passwords are the first line of defense for our digital lives,” AbdelKarim Mardini, group product manager for Chrome at Google, and Guemmy Kim, director of account security and safety, wrote in a blog post. “However, managing a set of strong passwords isn’t always convenient, which leads many people to look for shortcuts (i.e. dog’s name + birthday) or to neglect password best practices altogether, which opens them up to online risks.”
Google is trying to counteract that with offerings that are security by default, Mardini and Kim wrote. That includes its Password Management technology built into Chrome, Android and the Google App, which is designed to protect passwords across sites and apps that users access by enabling them to use strong and unique passwords without having to remember or repeat each one. Even in Apple’s iOS operating system, users can leverage Chrome to autofill saved passwords in aps.
A new feature in the Google app lets users access all of the passwords they’ve saved in Google Password Manager from the Google app menu.
Android, YouTube Users Get More Security
Google’s two-step verification (2SV) “is strongest when it combines both ‘something you know’ (like a password) and ‘something you have’ (like your phone or a security key),” Mardini and Kim noted.
Google will not only automatically enroll another 150 million Google users in the 2SV program but also require two million YouTube creators to turn it on.
In addition, Google is building security keys into Android devices and making them available in its Google Smart Lock app on Apple devices.
At the meeting at the White House in August, Google pledged to spend more than $10 billion over the next five years to strengthen cybersecurity – through such measures as expanding zero-trust programs, securing the software supply chain and improving open-source security – and to train 100,000 Americans in such fields as IT support and data analytics to learn skills involving data privacy and security.
Further reading: Could You Be a Ransomware Target? Here’s What Attackers Look For